Vulnerability Note VU#823971

Microsoft Internet Explorer contains a Channel Definition Format (CDF) cross-domain vulnerability

Original Release date: 08 Feb 2005 | Last revised: 09 Feb 2005

Overview

Microsoft Internet Explorer contains a vulnerability that may allow unintended information disclosure or remote code execution due to a flaw in handling Channel Definition Format (CDF) files.

Description

From the Microsoft Channel Definition Format description:

    Channel Definition Format (CDF) files can be used to organize a set of related Web pages into a logical hierarchy. A channel is a Web site described by a Channel Definition Format (CDF) file. The CDF file defines a hierarchy of the pages that are included in the channel. Besides defining the resources in the channel, the CDF file also specifies how each item will be used or displayed, and when the channel should be updated. For more information about CDF files, see the product documentation.

An attacker may be able to exploit the flaw in CDF file handling to execute code in the Local Machine Zone.

Impact

A remote attacker may be able to execute arbitrary code or access otherwise restricted information by crafting a malicious web page, then convincing a user to visit it by clicking on a link or email. The code would execute with the privileges of the user running Internet Explorer.

Solution

Apply an update
Microsoft Windows users should use Windows Update to automatically obtain the correct fixes, or apply the relevant patches outlined in Microsoft Security Bulletin MS05-014, described in Microsoft Knowledge Base Article 867282.


Install Windows XP Service Pack 2 (SP2)

Microsoft Windows XP SP2 includes a feature called Local Machine Zone Lockdown, as well as other improvements. The Local Machine Zone Lockdown prevents Internet Explorer and several other programs from evaluating script in the Local Machine Zone. While this does not remove the vulnerability, it does help prevent an attacker from executing script in the Local Machine Zone.

Read and send email in plain text format

Outlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured to view email messages in text format. Consider the security of fellow Internet users and send email in plain text format when possible. Note that reading and sending email in plain text will not necessarily prevent exploitation of this vulnerability.

Do not follow unsolicited links

In order to convince users to visit their sites, attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.

Use a different web browser

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. These technologies are implemented in operating system libraries that are used by IE and many other programs to provide web browser functionality. IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.

It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when viewing untrusted HTML documents (e.g., web sites, HTML email messages). Such a decision may, however, reduce the functionality of sites that require IE-specific features such as proprietary DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control (WebOC), or the HTML rendering engine (MSHTML).

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Microsoft CorporationAffected08 Feb 200508 Feb 2005
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to the Microsoft Corporation for reporting this vulnerability.

This document was written by Ken MacInnis based primarily on information provided by the Microsoft Corporation.

Other Information

  • CVE IDs: CAN-2005-0056
  • Date Public: 08 Feb 2005
  • Date First Published: 08 Feb 2005
  • Date Last Updated: 09 Feb 2005
  • Severity Metric: 21.00
  • Document Revision: 12

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.